[ratelimits] new type of attack or stuck client?
wolfgang.rupprecht at gmail.com
Thu May 23 23:58:09 UTC 2013
Vernon Schryver writes:
> > From: "Wolfgang S. Rupprecht" <wolfgang.rupprecht at gmail.com>
>
> > Is this an attack or just a stuck client? Up to this point the only
> > attacks I saw were forged UDP/ANY against domains I'm authoritative for.
>
> 7 requests/sec (given 'responses-per-second 5', I assume there were 5
> "consider limiting" log messages before the 2 slips)
> isn't much of an attack even if the responses were 3 KBytes instead
> of practically empty NODATA.

The full logs from this client (requires ipv6 to access):
https://www.wsrcc.com/wolfgang/private/rrl-looping.txt

I probably misunderstood how slip works. I thought a value of "1"
meant a 1:1 reply with TC. The incoming query rate was
approx. 166 q/s in the second I counted. The average was ~44 q/s.

> 877 plus some number of 5 qps responses plus some other number of
> isolated queries over what period?

Over a 20 second period.

> I bet you've got some too smart by half idiot using your cute name
> dumbcat.snafu.org as some sort of network health beacon.

This may well be a spamming trojan with a few bugs. dumbcat.snafu.org
has an ipv6-only host record. It is entirely possible the client
software didn't like not finding an A-record and getting a TC from
dns.

-wolfgang
--
g+: https://plus.google.com/114566345864337108516/about